diff --git a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx b/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
index b82d9b563e..5f14a79b92 100644
--- a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
+++ b/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
@@ -8,25 +8,22 @@ description: >-
# Join External Servers to Consul on Kubernetes
If you have a Consul cluster already running, you can configure your
-Consul clients inside Kubernetes to join this existing cluster.
+Consul on Kubernetes installation to join this existing cluster.
The below `values.yaml` file shows how to configure the Helm chart to install
-Consul clients that will join an existing cluster.
+Consul that will join an existing Consul server cluster.
The `global.enabled` value first disables all chart components by default
so that each component is opt-in. This allows us to _only_ setup the client
agents. We then opt-in to the client agents by setting `client.enabled` to
`true`.
-Next, `client.exposeGossipPorts` can be set to `true` or `false` depending on if
-you want the clients to be exposed on the Kubernetes internal node IPs (`true`) or
-their pod IPs (`false`).
-
-Finally, `client.join` is set to an array of valid
-[`-retry-join` values](/docs/agent/config/cli-flags#retry-join). In the
-example above, a fake [cloud auto-join](/docs/install/cloud-auto-join)
-value is specified. This should be set to resolve to the proper addresses of
-your existing Consul cluster.
+Next, configure `externalServers` to point it to Consul servers.
+The `externalServers.hosts` value must be provided and should be set to a DNS, an IP,
+or an `exec=` string with a command returning Consul IPs. Please see [this documentation](https://github.com/hashicorp/go-netaddrs)
+on how the `exec=` string works.externalServers
+Other values in the `externalServers` section are optional. Please refer to
+[Helm Chart configuration](https://developer.hashicorp.com/consul/docs/k8s/helm#h-externalservers) for more details.
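Review bot: The added sentence ending "on how the `exec=` string works.externalServers" carries a stray "externalServers" token after the period; remove it. In the same sentence "a DNS" should read "a DNS name". The unchanged paragraph just above still says the values "_only_ setup the client agents" and opt in through `client.enabled`, which no longer matches the reworded intro or the values this patch removes, so it should be rewritten in this hunk as well.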
@@ -34,26 +31,16 @@ your existing Consul cluster.
global:
enabled: false
-client:
- enabled: true
- # Set this to true to expose the Consul clients using the Kubernetes node
- # IPs. If false, the pod IPs must be routable from the external servers.
- exposeGossipPorts: true
- join:
- - 'provider=my-cloud config=val ...'
+externalServers:
+ hosts: []
```
--> **Networking:** Note that for the Kubernetes nodes to join an existing
-cluster, the nodes (and specifically the agent pods) must be able to connect
-to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/install/glossary#lan-gossip).
-If this isn't possible, consider running a separate Consul cluster inside Kubernetes
-and federating it with your cluster outside Kubernetes.
-You may also consider adopting Consul Enterprise for
-[network segments](/docs/enterprise/network-segments).
+-> **Note:** If you are looking to join Consul clients to an existing Consul server cluster,
+please see [this documentation](https://developer.hashicorp.com/consul/docs/v1.13.x/k8s/deployment-configurations/servers-outside-kubernetes).
-## Configuring TLS with Auto-encrypt
+## Configuring TLS
-> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication
for the HTTPS clients of the Consul servers, that is when servers have either
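Review bot: The new example sets `externalServers.hosts: []` and omits `enabled: true`, while the prose added above says `externalServers.hosts` must be provided and every later example on the page sets `externalServers.enabled: true`. Show a placeholder host value instead of an empty list, and add `enabled: true` here if the section is not active without it. The removed Networking note also has no replacement describing what connectivity the installation needs to the external servers; a sentence on that would help.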
@@ -62,10 +49,9 @@ As noted in the [Security Model](/docs/security#secure-configuration),
that setting isn't strictly necessary to support Consul's threat model as it is recommended that
all requests contain a valid ACL token.
-Consul's auto-encrypt feature allows clients to automatically provision their certificates by making a request to the servers at startup.
-If you would like to use this feature with external Consul servers, you need to configure the Helm chart with information about the servers
-so that it can retrieve the clients' CA to use for securing the rest of the cluster.
-To do that, you must add the following values, in addition to the values mentioned above:
+If the Consul server has TLS enabled, you would also need to provide the CA certificate that Consul on Kubernetes will
+need to talk to the server. First save this certificate in a Kubernetes secret and then provide it in your Helm values below,
+in addition to the values mentioned above:
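Review bot: "the CA certificate that Consul on Kubernetes will need to talk to the server" does not say what the certificate is used for, and "you would also need to" should be "you must also". Suggest wording along the lines of "provide the CA certificate Consul on Kubernetes uses to verify the servers' TLS certificates", naming `global.tls.caCert.secretName` and `global.tls.caCert.secretKey` in the sentence. It would also help to say whether the secret should hold only the certificate and not the CA private key.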
@@ -73,19 +59,17 @@ To do that, you must add the following values, in addition to the values mention
global:
tls:
enabled: true
- enableAutoEncrypt: true
+ caCert:
+ secretName:
+ secretKey:
externalServers:
enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
```
-In most cases, `externalServers.hosts` will be the same as `client.join`, however, both keys must be set because
-they are used for different purposes: one for Serf LAN and the other for HTTPS connections.
-Please see the [reference documentation](/docs/k8s/helm#v-externalservers-hosts)
-for more info. If your HTTPS port is different from Consul's default `8501`, you must also set
+If your HTTPS port is different from Consul's default `8501`, you must also set
`externalServers.httpsPort`.
## Configuring ACLs
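Review bot: `secretName:` and `secretKey:` under `caCert` are left empty, so a reader who copies the block applies null values. Use placeholder values the way the `bootstrapToken` example later on the page does (`secretName: bootstrap-token`, `secretKey: token`). The same applies to `hosts: []`, which replaces a sample value with an empty list.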
@@ -137,8 +121,7 @@ with `consul login`.
```yaml
externalServers:
enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
```
@@ -156,17 +139,9 @@ global:
bootstrapToken:
secretName: bootstrap-token
secretKey: token
-client:
- enabled: true
- # Set this to true to expose the Consul clients using the Kubernetes node
- # IPs. If false, the pod IPs must be routable from the external servers.
- exposeGossipPorts: true
- join:
- - 'provider=my-cloud config=val ...'
externalServers:
enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
```
@@ -184,17 +159,9 @@ global:
enabled: false
acls:
manageSystemACLs: true
-client:
- enabled: true
- # Set this to true to expose the Consul clients using the Kubernetes node
- # IPs. If false, the pod IPs must be routable from the external servers.
- exposeGossipPorts: true
- join:
- - 'provider=my-cloud config=val ...'
externalServers:
enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
```